Любитель брутфорса (Bruteforce Lover)

hackerlab

Task: Grav CMS 1.7.10 boot2root box. Solution: fuzz an encrypted ZIP, crack it with zip2john to get admin creds, exploit authenticated Grav Twig SSTI (CVE-2021-29440) for RCE, crack a PGP private-key passphrase with gpg2john and decrypt a message to pivot to user gravman, then escalate to root via Python library hijacking (local random.py) of a NOPASSWD sudo script.

ssti privilege_escalation web pgp sudo gpg python_library_hijacking grav cve-2021-29440 file_upload_fuzzing boot2root

zip2john_password_crackinggpg2john_passphrase_crackingpgp_message_decryptiongrav_ssti_rcetwig_filter_systempython_library_hijackingsudo_python_script_privesclogin_rate_limit_xff_bypassfile_fuzzing

$ ls tags/ techniques/

ssti privilege_escalation web pgp sudo gpg python_library_hijacking grav cve-2021-29440 file_upload_fuzzing boot2root

zip2john_password_crackinggpg2john_passphrase_crackingpgp_message_decryptiongrav_ssti_rcetwig_filter_systempython_library_hijackingsudo_python_script_privesclogin_rate_limit_xff_bypassfile_fuzzing

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[infra][Pro]Возрождение (Rebirth)— hackerlab
[forensics][Pro]ZipLock— hackerlab
[infra][Pro]Подземелье (Dungeon)— hackerlab
[crypto][Pro]Брутфорс— duckerz
[forensics][Pro]Evil Matryoshka— taipanbyte